The researchers at Talos, Cisco’s cybersecurity intelligence and research unit, have been tracking a recent shift in hacking strategy, according to Martin Lee, the unit’s technical lead of security research and the manager of the unit’s outreach program in EMEA and Asia. It has to do with the amount of time malicious code can go unnoticed on compromised systems, and the business models applied by cybercriminals. “Bad guys,” as Lee calls them, are moving from very visible ransomware to crypto mining.

“If your phone was hit with ransomware, it would be really obvious and you'd have to do something about it. If it is running a crypto-miner, it might not be visible to you, aside from the fact that it might be a little warmer than normal, and your battery would drain faster," Lee said in an interview with Calcalist held at Cisco’s offices in Israel last week.

“From the bad guys' point of view, that means they can persist for longer,” he said.

Rather than hitting you with ransomware, “which is kind of a one time thing,” with crypto-miners their code can stay on compromised systems longer, “and make a little bit of money over a long time.”

Ultimately, cyber-criminals are driven by profit, he said, and while advanced attacks associated with state actors are high profile, “the vast majority of attacks are criminal in nature.”

Lee and his team spend much of their time thinking from the point of view of “bad guys.”

A merger of three threat intelligence groups within Cisco, Talos now employs over 250 full-time threat intelligence analysts in the U.S., Europe, and Asia. Team members in Europe and Asia work from home, giving the company “a lot of flexibility” in terms of who it hires, according to Lee.

“It also means that we have people awake at any time of the day, throughout time zones,” he said.

Talos has been instrumental in analyzing such recent attacks as the interference with the 2016 U.S. elections and the attacks targeting Ukrainian infrastructure networks in 2015, 2016, and 2017.

In February, hackers targeted the Pyeongchang, South Korea Winter Olympic Games, attacking the organizer's systems and shutting down monitors, Wi-Fi service, and the official games website prior to the opening ceremony.

Talos published a detailed report on the attack on February 12, dubbing the malware Olympic Destroyer and revealing ammo similar to that used to damage Ukrainian infrastructure in 2017.

In May, Talos researchers alerted the FBI that malware targeting routers had infected some 500,000 devices, prompting the bureau to advise users of consumer-grade routers to reboot their machines. Talos’ report on the attack stated that the malware, known as VPNFilter, infected devices made by companies such as Linksys and Netgear, using them to collect data, launch subsequent attacks, and destroy the devices.

The devastating NotPetya attack, first detected in 2017, was distributed through accounting software from a Ukrainian publisher.

In September 2017, the Talos team detected a malicious backdoor integrated into the cleanup software CCleaner. The hackers used the backdoor to profile compromised systems. Eventually, they ran out of disk space, according to Lee.

Talos was able to get a hold of a restored copy of the database, finding in it traces of 800,000 systems logged.

“The malicious code was communicating with a command and control server, was feeding back information about the systems it was running on, and then the bad guys could issue instructions depending on what the system was that it was running on,” Lee said.

This type of evolving, choose-your-own-adventure attack is a crucial change, and something organizations need to be aware of, he said.